Hi,

I have installed shorewall on my mandrake box from the 'standalone' quick start download - and it works fine. And I can currently transfer files via ftp over the internet with shorewall running, so long as I put the remote server into passive mode.

However, in the last couple of days I have set up a lan connection with a single win2k box via a crossover cable. I would like also to be able to transfer files between the 2 boxes (via the crossover) using the ftp server on the win2k box. Shorewall won't let me do this - though it works fine if I disable shorewall.

What amendments are necessary to get this working with shorewall running? I see no need to firewall-protect against *anything* that travels via the crossover - if that makes it simpler. The only stuff being sent will be sent by me. Nor does it matter to me if I have to put the win2k server into passive mode (just like with the internet ftp transfers).

The 'zones' file currently contains:

net Net Internet

The 'policy' file currently contains:

fw net ACCEPT
net all DROP info
all all REJECT info

The 'rules' file currently merely disables pinging from outside:

DROP net fw icmp 8

I tried adding 'loc Loc Intranet' to 'zones' and 'fw loc ACCEPT' to 'policy' but that didn't help.

Was that a step in the right direction? What else is needed?

Cheers,
Rob

--
Any emails containing attachments will be deleted from my ISP's mail server before I even get to see them. If you wish to email me an attachment, please provide advance warning so that I can make the necessary arrangements.
On Fri, 14 Nov 2003, Sisyphus wrote:

> I have installed shorewall on my mandrake box from the 'standalone'
> quick start download - and it works fine. And I can currently transfer
> files via ftp over the internet with shorewall running, so long as I put
> the remote server into passive mode.
>

Then something is wrong from the beginning. Both passive and active FTP should work "out of the box". If not, you need to look at http://www.shorewall.net/FTP.html.

> However, in the last couple of days I have set up a lan connection with
> a single win2k box via a crossover cable. I would like also to be able
> to transfer files between the 2 boxes (via the crossover) using the ftp
> server on the win2k box. Shorewall won't let me do this - though it
> works fine if I disable shorewall.
>
> What amendments are necessary to get this working with shorewall running?
> I see no need to firewall-protect against *anything* that travels via
> the crossover - if that makes it simpler. The only stuff being sent will
> be sent by me. Nor does it matter to me if I have to put the win2k
> server into passive mode (just like with the internet ftp transfers).
>
> The 'zones' file currently contains:
> net Net Internet
>
> The 'policy' file currently contains:
> fw net ACCEPT
> net all DROP info
> all all REJECT info
>
> The 'rules' file currently merely disables pinging from outside:
> DROP net fw icmp 8
>
> I tried adding 'loc Loc Intranet' to 'zones' and
> 'fw loc ACCEPT' to 'policy' but that didn't help.
>
> Was that a step in the right direction? What else is needed?
>

My recommendation is to follow http://www.shorewall.net/two-interface.htm rather than trying to hack the standalone configuration to make it a two-interface one.

-Tom

--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep wrote:

> Then something is wrong from the beginning. Both passive and active FTP
> should work "out of the box". If not, you need to look at
> http://www.shorewall.net/FTP.html.
>

Actually it's the client that I'm having to put into passive mode. (My mistake.) From the 'Shorewall and FTP' page I see "passive mode access from local clients to remote servers will always work but active mode requires the firewall to dynamically open a "hole" for the server's connection back to the client." I guess that the "hole" is not being dynamically opened when I use perl as the ftp client - though, iirc, the hole does get opened if I use the linux command line ftp utility. Someone let me know if I ought to be worried about that ......

> My recommendation is to follow http://www.shorewall.net/two-interface.htm
> rather than trying to hack the standalone configuration to make it a
> two-interface one.
>

Ok. All I really want is for the firewall to behave in exactly the same way as it currently is wrt the internet, but to interfere in no way at all wrt what travels down the crossover cable. I thought that might most easily be achieved with some modification to what I currently have .... but I understand so little about these matters .... which is why I was loath to try a complete new configuration. Time to do some reading up, I guess :-)

Thanks Tom.

Cheers,
Rob

--
Any emails containing attachments will be deleted from my ISP's mail server before I even get to see them. If you wish to email me an attachment, please provide advance warning so that I can make the necessary arrangements.
On Sat, 15 Nov 2003, Sisyphus wrote:

> Actually it's the client that I'm having to put into passive mode. (My
> mistake.) From the 'Shorewall and FTP' page I see "passive mode access
> from local clients to remote servers will always work but active mode
> requires the firewall to dynamically open a "hole" for the server's
> connection back to the client." I guess that the "hole" is not being
> dynamically opened when I use perl as the ftp client - though, iirc, the
> hole does get opened if I use the linux command line ftp utility.
>

Absolutely absurd.

> Someone let me know if I ought to be worried about that ......

Well, I'm certainly not going to worry about it if you're not.

> > My recommendation is to follow http://www.shorewall.net/two-interface.htm
> > rather than trying to hack the standalone configuration to make it a
> > two-interface one.
> >
>
> Ok. All I really want is for the firewall to behave in exactly the same
> way as it currently is wrt the internet, but to interfere in no way at
> all wrt what travels down the crossover cable. I thought that might most
> easily be achieved with some modification to what I currently have ....
> but I understand so little about these matters .... which is why I was
> loath to try a complete new configuration.

Which is why you should use standard Shorewall setups that match your configuration.

-Tom

--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep wrote:
> On Sat, 15 Nov 2003, Sisyphus wrote:
>
>> Actually it's the client that I'm having to put into passive mode. (My
>> mistake.) From the 'Shorewall and FTP' page I see "passive mode access
>> from local clients to remote servers will always work but active mode
>> requires the firewall to dynamically open a "hole" for the server's
>> connection back to the client." I guess that the "hole" is not being
>> dynamically opened when I use perl as the ftp client - though, iirc, the
>> hole does get opened if I use the linux command line ftp utility.
>>
>
> Absolutely absurd.
>

Yes - I don't recall correctly - I've just checked and the perl ftp client and the command line ftp utility exhibit exactly the same behaviour. I can connect, but a simple ls command hangs when the client is not in passive mode (and the firewall is running).

Still .... I suspect that my absolute absurdity extends beyond just that segment of what I wrote. I'll pore over the documentation and see if I can deduce something sensible :-)

>> Someone let me know if I ought to be worried about that ......
>
> Well, I'm certainly not going to worry about it if you're not.
>

Now that I realise it's not normal, I certainly intend to puzzle over it and "normalise" the behaviour if possible. Apologies for any irritation. I'll go away now ... for a little while at least :-)

Cheers,
Rob

--
Any emails containing attachments will be deleted from my ISP's mail server before I even get to see them. If you wish to email me an attachment, please provide advance warning so that I can make the necessary arrangements.
Sisyphus wrote:
> Yes - I don't recall correctly - I've just checked and the perl ftp
> client and the command line ftp utility exhibit exactly the same
> behaviour. I can connect, but a simple ls command hangs when the client
> is not in passive mode (and the firewall is running).
> Still .... I suspect that my absolute absurdity extends beyond just that
> segment of what I wrote. I'll pore over the documentation and see if I
> can deduce something sensible :-)

Are ip_conntrack_ftp and ip_nat_ftp not loaded? Then you also get this behaviour.

--
Regards, Peter
--
I once snorted Coke, but the ice cubes blocked my nostrils.
--- Do you have a Dreambox 7000S? --- Have a look at http://www.dreamvcr.com
--- Also see http://www.lindeman.org --- ICQ 22383596
--- Uptime lindeman.org - 69 days, 21 hours and 29 minutes, 1 user logged in.
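Peter's point is the crux of the thread: the address and port of an FTP data connection are announced inside the control channel, so a stateful firewall can only open the right "hole" if a helper (ip_conntrack_ftp on this kernel) reads that announcement. The Python below is an added example, not code from the thread, from Shorewall or from netfilter, showing what such a helper has to extract from a PORT command and from a 227 (passive) reply, and why active mode is the case that breaks without it: the server dials a brand-new connection inbound to the client, which the firewall would otherwise drop. It also applies the plausibility check a helper should make before opening the hole (the announced address must belong to the client it was heard from), in the same spirit as the check netfilter's helper performs by default. All sample lines, IP addresses and function names are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Six comma-separated decimal fields h1,h2,h3,h4,p1,p2 as used by both the
# PORT command and the 227 "Entering Passive Mode" reply (RFC 959).
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


@dataclass(frozen=True)
class DataConn:
    mode: str    # "active" (PORT) or "passive" (227 reply)
    opener: str  # which end initiates the data connection: "server" or "client"
    addr: str    # address the opener must connect to
    port: int    # port the opener must connect to


def _hostport(m) -> tuple:
    """Convert the six matched fields to (dotted address, port), rejecting junk."""
    fields = [int(g) for g in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in %r" % m.group(0))
    port = fields[4] * 256 + fields[5]
    if port == 0:
        raise ValueError("data port 0 is not usable")
    return ".".join(str(f) for f in fields[:4]), port


def parse_control_line(line: str) -> Optional[DataConn]:
    """Return the data-connection endpoint announced on one control-channel
    line, or None if the line announces nothing (USER, PASS, LIST, ...)."""
    line = line.strip()
    if line.upper().startswith("PORT "):
        m = _HOSTPORT.fullmatch(line[5:].strip())
        if m is None:
            raise ValueError("malformed PORT argument: %r" % line)
        addr, port = _hostport(m)
        # Active mode: the client tells the server where to dial back to.
        return DataConn("active", "server", addr, port)
    if line.startswith("227"):
        m = _HOSTPORT.search(line)
        if m is None:
            raise ValueError("227 reply without host/port: %r" % line)
        addr, port = _hostport(m)
        # Passive mode: the server tells the client which port to dial.
        return DataConn("passive", "client", addr, port)
    return None


def expected_data_flow(conn: DataConn, client_ip: str, server_ip: str) -> dict:
    """Describe the new connection a firewall between client and server has to
    admit for the transfer to work, and whether the announcement is plausible."""
    if conn.mode == "active":
        opened_by = server_ip
        # Refuse to open a hole towards anyone but the client we heard PORT from.
        plausible = conn.addr == client_ip
    else:
        opened_by = client_ip
        plausible = conn.addr == server_ip
    return {
        "mode": conn.mode,
        "opened_by": opened_by,
        "to": "%s:%d" % (conn.addr, conn.port),
        # This is the direction a plain stateful firewall drops: a fresh
        # inbound connection to the client that no rule ever allowed.
        "inbound_to_client": conn.mode == "active",
        "plausible": plausible,
    }


if __name__ == "__main__":
    # Constructed control-channel fragment, not a real capture.
    SAMPLE = [
        "USER rob",
        "PORT 192,168,1,2,4,1",
        "227 Entering Passive Mode (10,0,0,5,195,80).",
    ]
    for text in SAMPLE:
        c = parse_control_line(text)
        if c is not None:
            print(text, "->", expected_data_flow(c, "192.168.1.2", "10.0.0.5"))
```

Running it shows the asymmetry Rob observed: the 227 reply leads to a connection the client opens outward, which the existing `fw net ACCEPT` policy already permits, while the PORT command leads to a connection the server opens inward, which only the helper can authorise. When the helper is not loaded, the control connection still works (login succeeds) but the first command that needs a data connection, such as `ls`, hangs.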
Peter Lindeman wrote:
> Sisyphus wrote:
>
>> Yes - I don't recall correctly - I've just checked and the perl ftp
>> client and the command line ftp utility exhibit exactly the same
>> behaviour. I can connect, but a simple ls command hangs when the
>> client is not in passive mode (and the firewall is running).
>> Still .... I suspect that my absolute absurdity extends beyond just
>> that segment of what I wrote. I'll pore over the documentation and see
>> if I can deduce something sensible :-)
>
> Are ip_conntrack_ftp and ip_nat_ftp not loaded? Then you also get this
> behaviour.
>

Yes, they're not loaded, though I can see files named 'ip_conntrack_ftp.o.gz' and 'ip_nat_ftp.o.gz' in '/lib/modules/`uname -r`/kernel/net/ipv4/netfilter'. I'll see if I can get them to load tomorrow - probably should get some sleep right now :-)

Btw, this is mdk-9.1, if that's at all relevant.

Thanks Peter.

Cheers,
Rob

--
Any emails containing attachments will be deleted from my ISP's mail server before I even get to see them. If you wish to email me an attachment, please provide advance warning so that I can make the necessary arrangements.
On Sat, 2003-11-15 at 05:29, Sisyphus wrote:
> Peter Lindeman wrote:
> > Sisyphus wrote:
> >
> >> Yes - I don't recall correctly - I've just checked and the perl ftp
> >> client and the command line ftp utility exhibit exactly the same
> >> behaviour. I can connect, but a simple ls command hangs when the
> >> client is not in passive mode (and the firewall is running).
> >> Still .... I suspect that my absolute absurdity extends beyond just
> >> that segment of what I wrote. I'll pore over the documentation and see
> >> if I can deduce something sensible :-)
> >
> > Are ip_conntrack_ftp and ip_nat_ftp not loaded? Then you also get this
> > behaviour.
> >
>
> Yes, they're not loaded, though I can see files named
> 'ip_conntrack_ftp.o.gz' and 'ip_nat_ftp.o.gz' in '/lib/modules/`uname
> -r`/kernel/net/ipv4/netfilter'.

You need Shorewall 1.4.7 or later if you want Shorewall to load modules with "o.gz" names for you automatically.

-Tom

--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep wrote:
> You need Shorewall 1.4.7 or later if you want Shorewall to load modules
> with "o.gz" names for you automatically.
>

I installed the two-interface config yesterday and found it behaved in pretty much the same way - but upgrading to 1.4.8 has made the world of difference. FTP transactions over the net can now be conducted in both passive and active modes.

Initially, the ftp transactions over the local network still would not work (couldn't even find the server), so I added the following to the rules file:

ACCEPT fw loc tcp 21

With that line in place, local network ftp transactions work fine (in both modes).

I mention it in case I still haven't got it quite right .... heaven forbid !!

Thanks again.

Cheers,
Rob

--
Any emails containing attachments will be deleted from my ISP's mail server before I even get to see them. If you wish to email me an attachment, please provide advance warning so that I can make the necessary arrangements.
On Sun, 16 Nov 2003, Sisyphus wrote:

> Initially, the ftp transactions over the local network still would not
> work (couldn't even find the server), so I added the following to the
> rules file:
>
> ACCEPT fw loc tcp 21
>
> With that line in place, local network ftp transactions work fine (in
> both modes).
>
> I mention it in case I still haven't got it quite right .... heaven
> forbid !!
>

If you want to avoid future need to add rules between 'fw' and 'loc', you can alter your /etc/shorewall/policy file to include:

loc fw ACCEPT
fw loc ACCEPT

Now all traffic can pass between the two boxes uncontested.

-Tom

--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
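For readers assembling the same setup, here is what Tom's two policy lines look like in context, as an added illustration rather than a file from the thread or from the Shorewall distribution. It assumes the zone names used in this thread (fw, loc, net), assumes the local zone should also reach the internet as the two-interface setup normally allows, and keeps Rob's original net and catch-all policies. Shorewall evaluates policy entries top to bottom and uses the first match, so the permissive loc/fw pair must sit above the `all all REJECT` line or it never takes effect; with it in place the `ACCEPT fw loc tcp 21` rule becomes redundant.

```text
#SOURCE   DEST    POLICY    LOG LEVEL
loc       net     ACCEPT
loc       fw      ACCEPT
fw        loc     ACCEPT
fw        net     ACCEPT
net       all     DROP      info
all       all     REJECT    info
```

The trade-off is the one Rob already accepted: nothing on the crossover cable is filtered in either direction, which is fine for a single machine he controls, but the loc fw ACCEPT line is the one to revisit if the local network ever grows beyond that one box.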